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Abstract 

This paper offers a critical view of the "worst-case" approach that is the cornerstone of 
robust control design. It is our contention that a blind acceptance of worst-case scenarios 
may lead to designs that are actually more dangerous than designs based on probabilistic 
techniques with a built-in risk factor. The real issue is one of modeling. If one accepts that no 
mathematical model of uncertainties is perfect then a probabilistic approach can lead to more 
reliable control even if it cannot guarantee stability for all possible cases. Our presentation is 
based on case analysis. We first establish that worst-case is not necessarily "all-encompassing." 
In fact, we show that for some uncertain control problems to have a conventional robust 
control solution it is necessary to make assumptions that leave out some feasible cases. Once 
we establish that point, we argue that it is not uncommon for the risk of unaccounted cases 
in worst-case design to be greater than that of the accepted risk in a probabilistic approach. 
With an example, we quantify the risks and show that worst-case can be significantly more 
risky. Finally, wc join our analysis with existing results on computational complexity and 
probabilistic robustness to argue that the deterministic worst-case analysis is not necessarily 
the better tool. 



1 Introduction 

In recent years, a number of researchers have proposed probabilistic control methods as alterna- 
tives for overcoming the computational complexity and conservatism of deterministic worst-case 
robust control framework (e.g., [T]-|33j. |35]-|43j and the references therein). The philosophy 
of probabilistic control theory is to sacrifice extreme cases of uncertainty. Such paradigm has 
lead to the novel concepts of probabilistic robustness margin and confidence degradation function 
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(e.g., [2]). Despite the claimed advantages of probabilistic approach, the deterministic worst-case 
approach remains dominating for design and analysis purposes. It is a common contention that 
a probabilistic design is more risky than a worst-case design. Such a contention may have been 
the main obstacle preventing the wide acceptance of the probabilistic paradigm, especially in the 
development of highly reliable systems. When referring to the probabilistic approach, a cautious 
warning is usually attached. Statements like "if one is willing to accept a small risk of performance 
violation" can be found in a number of robust control papers. A typical argument is that the 
worst-case method takes every case of "uncertainty" into account and is certainly the most safe, 
while the probabilistic method considers only most of the instances of "uncertainty" and, hence, 
is more risky. 

We illustrate with two very simple cases that a worst case design may not necessarily consider 
all possible cases. Our purpose here is to make the point that the basic issue is one of modeling and 
as such it is never perfect. Worst-case scenario may mean "the worst case that we can imagine," 
or "the worst-case that we can afford to consider to have a robust solution." 

In practice, the coefficients of a linear model are complex functions of physical parameters. 
Even if the physical parameters are bounded in a narrow interval, the variations of the coefficients 
can be fairly large. A simple example is provided by the process of discharge of a cylindrical tank. 
The basic nonlinear model is of the form 

dH 

A— + pVH = Qi 
at 

where A is the tank cross section, H the height of liquid inside the tank, Qi the volumetric input 
flow rate and p the hydraulic resistance in the discharge. Linearizing in the neighborhood of a 
steady state operating point, (H, QA } satisfying pV~H = Qi one obtains the linear model 

— + - h = — 
dt 2AVTJ a 

with h = H — H,qi = Qi — Q,. Clearly, the parameter a = — ^= takes values in the interval 

2AVH 



(0, oo). Hence, any design assuming bounded uncertainties for the parameter, a, cannot include 
all possible heights for the liquid. 

For the second case consider a first order system of the form 

G(s) 



s — p 

with uncertain parameters q and p. Assuming a unity feedback and controller of the form 

K 

C(s) = , K>0, a>0 

s + a 

the closed loop system becomes 

Kq 



T(s) 



s 2 + (a — p)s + Kq — ap 
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The controller will robustly stabilize the plant if 

ap 

P<a, q > — . 

It is clear that for any finite controller gain K, there exist a range of values of q where the closed- 
loop system is unstable. The designer of a worst-case controller would be faced with the choice 
of selecting a different controller structure or assuming, based on other considerations, that a 
neighborhood of q = can be excluded from the design. With the next result we develop this 
point in a more general form. 

1.1 Uncertainties in Modeling Uncertainties 

In many practical situations of worst-case design one models uncertainties as bounded random 
variables. The issue of selecting the bounds is not trivial and is, oftentimes, not addressed in 
detail. The following theorem shows that, regardless of the assumed size of the uncertainty set, a 
worst-case robust controller actually can always fail. Hence, if there are "uncertainties in modeling 
the uncertainties" it may be better to model them as random variables varying from — oo to oo 
in order to pursue "worst-case" in a strict sense. 

Theorem 1 Let the transfer function of the uncertain plant be 

G(s) = ^T^4 7 > «o = l, I < k. 

Assume that for a given finite uncertainty range in the parameters cti, i = 1, • ■ ■ , K and 0j, j = 
0, 1, • • • ,£, there exists a controller of the form 

C(s) = 1 — , oo = l, &0 7^0, m<n 

which robustly stabilizes the system. Then, there always exists a value of parameter on or j3j , 
outside the assumed uncertainty range and which will make the closed-loop system unstable. 

Proof. The characteristic equation of the closed-loop system is 

\i=0 / \j=0 J \i=0 J \j=0 J 

which can be written as 

n+K m+l 

E (^)* n+K - r +E E ft) sm+ "~ L = °- 

r=0 i+j=T t=0 i+j=t 

0<i<n 0<i<m 

0<j<K o<j<e 
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For 1 < r < k, the coefficient of s n+K T is 



^2 («i a j) + ^2 ( b i Pj) = «r + c 

i+j — T i+j = T-\-m+i— {n+n) 

0<i<n 0<i<?n 
0<j<K 0<j<£ 



where 



s+j = T i+j = -r+m + « — (n+re) 

l<i<n 0<i<m 
0<j<K 0<j<l 

r-1 

i=max(0,T-n) i+j=T+m+£-(n+K) 

V ' 0<i<m 

o<j<e 

is independent of a T and depends on the other uncertainties. It follows that the system will be 
unstable if 

«r < -£• (1) 

In a similar manner, for < i < £, the coefficient of s m+ ^~ L is 



Q>iPj)+ Z (a i a i ) = 6 A + C 



i+j = t i+j = i + n+re-(m+f) 

0<i<m 0<i<n 
0<j<i 0<j<ft 



where 



i+j — L i+j = i + n + K-{m+t) 

l<i<m 0<i<n 
0<j<^ 0<j<fc 

j=max(0,i-m) i+j=t+n+«-(m+f) 

0<j<K 

is independent of /9 t and depends on the other uncertainties. It follows that the system will be 
unstable if 

&o A + C < o. (2) 
In the case that 6q > 0, the system is unstable when /3 t < In the case that bo < 0, the system 



is unstable when f5 L > 



bo' 

"So- 
Let B be the uncertainty bounding set assumed by the designer. Let T> be the set of all values 

of uncertainties for which the controller stabilizes the system. Obviously, B C D. From the 

stability conditions ([I]) and (|2|), we can conclude that V must be bounded. Taking into account 

the stability conditions and the fact that T> is bounded, we can see that there exist values of the 

parameters oti, 1 < i < k or j3j, < j < I that fall outside the domain D (of course they fall 

outside the assumed uncertainty range B) and make the system unstable. 

□ 
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Remark 1 A proof for an equivalent result for a multi-variable plant may be feasible. However, 
the following general argument conveys the idea about the limitations in worst case design. Assume 
that each instance of uncertainty is an element of n- dimensional vector space E n . Let G(s,q), q 6 
B C £ \ be the model for an uncertain plant. Assume that there exists a controller C w that satisfies 
the robustness requirements for all q £ B. Define now as V the set of all values of the parameter q 
where the controller C w satisfies the robustness requirements. Clearly T>z\ D B but unless T>z\ = £^ 
there always exist values of the parameter q where the controller does not perform. The worst-case 
design ignores these cases as impossible. Our contention is that the modeling of uncertainties (the 
set B ) may not include all cases that could occur and it may be better to accept a risk from the 
onset of the design. 

2 Accepting Risk Can Be Less Risky 

The previous result makes, very strongly, the point that worst-case modeling is not "all-encompassing" 
and therefore it has some risk associated to it. In this section we offer first a more formal de- 
scription of the problem and argue that a probabilistic approach may easily lead to more reliable 
designs. The next section uses a case study to quantify the actual risks of both approaches. 

2.1 Designing with Uncertain Uncertainties 

We incorporate the fact that modeling is never exact by postulating an uncertainty set, U and a 
bounding set, B, that models the uncertainties. The actual relationship between the two sets is 
not known. The worst-case design finds a controller C w to guarantee every uncertainty instance 
q 6 B. The probabilistic design seeks a controller C p to guarantee most uncertainty instances 
q £ B. Formally we can define the following relevant subsets 

M = unB, 
M = UnB, 
£ = unB. 

Here X denotes the complementary set of X. Clearly, M. contains those uncertainties that are 
modeled while the set M describes modeled uncertainties that never occur and £ describes the 
unmodeled uncertainties. The existence of these last two sets creates either inefficiencies or risks 
in the worst case design. To see this, consider the extreme situation where the designed robust 
controller guarantees the robustness requirement only for instances in B. The controller is over- 
designed because it deals with situations that cannot occur and it has the risk of failure if an 
instance in the set £ arises. 

Having established the fact that a robust control design can be risky, we now argue that prob- 
abilistic design can actually be less risky. As an added benefit, it is known that many worst-case 
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synthesis problems are either not tractable, or have known solutions which are unduly conser- 
vative and implementation expensive. But when using a probabilistic method, the previously 
intractable problems may become solvable, the conservatism may be overcame, and high perfor- 
mance controller with simple structure may be obtained. 

For brevity, we use notation C v to represent the statement that "the robustness requirement 
is violated for the system with controller C" . The subindex w will refer to worst-case design while 
p will refer to probabilistic design. Note that the risk of a probabilistic design is 

PP = Pr{C^ \qeM} Pr{U G M.} + Pr{C V | II G £} Pr{II G £}. 

V 

While the risk of a worst-case design is 

P™ = p r {C^ | q G £} Pr{II G £}. 

Hence the ratio of risks will be 

Pi _Pr{C^ \q££} Pr{C^ | q G .M}Pr{H G M] 

P™ ~ Pr{C£ | q G £} + Pr{CV\qe£}Pr{Ue£} ' (3) 
The first term is related to the performance of both types of controllers outside the design region. 
The behavior of the worst-case design in this region is of no concern to the designer, after all it 
"never gets there." All the design effort is placed in assuring performance over the set B. Hence 
we can reasonably expect Pr{C^ | q G £} to be high. In fact, if the set Af, of impossible situations 
included in the design, is large then Pr{C^ | q G £} could be close to one and the first term in the 
right-hand side of ([3]) can easily be less than some number A G (0, 1). The second term contains 
the factor Pr{C^ | q G A4} which is under the probabilistic designer and is a measure of the 
accepted risk. It is reasonable to expect that this risk is less than Pr{g G £} so that 

Pr{CV\qeM}Fr{KeM} v 



Pv{q G £} 



< (1 - A) Pr{C£ | q G £}. 



and consequently pfj- < 1. Factoring in a poor performance for the worst-case design outside of 
the modeled region one can see that the risk of the probabilistic design can become smaller than 
the risk of a worst-case design with unmodeled uncertainties. 

From a different point of view, many experiments of performance degradation of probabilistic 
designs indicate a fairly flat characteristic. If the unmodeled uncertainty set £ is relatively small 
then one could argue that 

Pr{C7 p y | q G £} « Pr{C V | H G A4} 

V 

and the ratio of risks is approximately given by 

Jf ^ Prjg; I q G M} 

Pf ~ Pr{C£ | q G £} Pr{H G £} U 
The numerator is under the control of the designer in a probabilistic approach while the denomi- 
nator has not even been considered as existing in a worst-case design. 
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3 Comparing Worst-Case and Probabilistic Designs 



The problem of quantifying the differences in performance between a worst-case design and a 
probabilistic design is extremely difficult in general. In this section we use a case study to quantify 
the risks and demonstrate that it is not uncommon for a probabilistic controller to be (highly) 
more reliable than a worst-case controller. We postulate that if the result holds for simple systems 
then it is also likely for more complex situations. 



Consider a feedback system as follows. 

r 



e 


C 


u 


G 


y 





















Figure 1: Standard Feedback Configuration 
The transfer function of the plant is 

G(s) 



q 



s — p 

where p and q are uncertain parameters. These parameters are assumed as independent Gaussian 

random variables with density AA(IL, au) and jV( a ) respectively and 

V 



po < 0, q > 
For the worst case design it is assumed that (q,p) £ £>(V) where 



(5) 



B(V) = {(§,t) 



II, I < V, 



sf 



is the uncertainty bounding set with radius r > 0. We use p Box to denote Pi{(q,p) G £>(V)}, i.e., 
the coverage probability of the uncertainty bounding set. It can be shown that 



pBox = erf erf 



V2 



(To 



where 



dcf 2 f x _ t 2 
erf(x) = —= / e dt. 

V 71 " Jo 

Hence, by increasing the radius r, one can reduce the uncertainty modeling error. 



Consider two controllers 



and 



C A = a > 

s + a 



C B = K B . 
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We assume further that 



(6) 



When using controller C A , the closed-loop transfer function is given by 

rp _ s+a s-p _ J^-AQ 



1 + s 2 + (a-p)s + K A q-ap 

which is stable if and only if 

p < a, p < q. 

a 

The deterministic stability margin of the system is given by 

p A = suplr > \ p + r < (g - r), p + r < a 

a 



which can be simplified as 



K A qo - a po 

p A = mm — ■ , a-po 

Ka + cl 



When using controller Cb, the closed- loop transfer function is given by 

T _ K B q 

s + K B q-p 

which is stable if and only if 

p < K B q. 

The deterministic stability margin of the system is given by 

p B = sup{r > | po + r < K B (qo - r)} 
Kb Qo - Po 
K B + 1 

For uncertainty bounding set with radius r G {pb, Pa), he., 



Kb Qo — Po ^ . ( K A qo-ap 

< r < mm — , a — po 1 , (7) 



K B + 1 V Ka + a 

controller B may make the system unstable while controller A robustly stabilizes the system. 
More specifically, controller B can only stabilize a proportion of the family of uncertain plants. 
Such a proportion, denoted by P(r), is referred to as proportion of stability, which is computed as 
the ratio of the volume of the set of parameters making the system stable to the total volume of 
the uncertainty box, i.e., 

vol{(g,p) G £>(V) | The system is stable for (q,p)} 
(r) = vol{£(V)} " 
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Here "vol" denotes the Lebesgue measure. More details are given in Appendix A where we show 
that the proportion of instability for controller B is given by 



1 



1 

2 2r 



Sr- 



for < r < pb] 

2 

- for p B <r < p* B ; 

for r > p* B 



(8) 



with 



Pb 



Kb qo - Po 



K B -I 

For an uncertainty bounding set with radius r £ (pb, Pa), controller B is actually a probabilistic 
controller because its proportion of stability is strictly less than 1. Obviously, controller A is 
a worst-case controller and is naturally considered to be more reliable than the probabilistic 
controller B. However, the following exact computation of probabilities of instability for both 
controllers reveals that the worst-case controller can actually be substantially more risky than the 
probabilistic controller. 

We use P Ca to denote PrjController Ca de-stabilizes the system}. We have derived an exact 
expression as 



pCA = ~ 
2vr 



1 



cxp 



9=0 



d8 + 



where 



and 



u = > 0, 

an 



2 sin 2 9 



exp 



-arctan(fc) 



a a„ 



w- 



2 sin 2 9 



df) 



(9) 



w 



9* = arctan 
For a proof of formula ©, see Appendix B. 



ku 



u — v 



€ (0,tt). 



We use P Cb to denote Pr{ Controller Cb de-stabilizes the system}. We have derived an exact 
expression as 

KbQo ~ Po 



1 1 

pC B = erf 

2 2 



<2{ol + Klaf 



(10) 



For a proof of formula (|10p . see Appendix C. 

A sufficient (but not necessary) condition for the worst-case controller to be more risky than 
the probabilistic controller (i.e., P Ca > P Cb ) is 



1 + 



K B err 



< 



K B go - Po 
a-po 



(11) 



which can be easily satisfied. For a derivation of condition (jlip . see Appendix D. 
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80 r 



- Stability boundary of worst-case controller A 
- Stability boundary of probabilistic controller B 
Uncertainty bounding set 



60 



40 ■ 



20 



-20 ■ 



-40 1 1 1 1 1 1 1 1 1 1 

-5 5 10 15 20 25 30 35 40 

Uncertain Parameter q 

Figure 2: Comparison of worst-case controller and probabilistic controller (r =17, a = 10, po = 
-10, q = 20, K A = 30, K B = 2, a p = 10, a q = 5) 
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Table 1: Comparison of risks {ps < r < pa) 



a 


r 


Po 


Qo 


a p 


<J q 


K A 


K B 


^>Box 


P B (r) 


pC A 


P U A 
P C B 


10 


17 


-10 


20 


10 


5 


30 


2 


0.91 


0.9998 


2.3 x 10" 2 


112 


40 


49 


-10 


50 


20 


10 


4000 


10 


0.99 


0.9956 


6.2 x 10~ 3 


2.2 x 10 4 



The boundary of stability is shown in Figure 

In Table 1 we compute the ratio of probabilities of being unstable for both the worst-case and 
probabilistic designs for several situations. The results show that a worst-case controller can be 
thousands of times more risky than a probabilistic controller. Granted that this is a simple first 
order system but our contention is that if it happens even for this simple case then the situation 
can (easily) happen for highly complicated systems. 

It has been the consensus in the field that guarantees with certainty are often required for 
stability and performance in control, while the probabilistic design is a viable approach when 
only probabilistic guarantees are required (see, e.g., lines 16-25, page 4652 of [34 I). From our 
general arguments and the concrete example, we can see that, in a strict sense, "guarantees with 
certainty" are only possible within the modeled uncertainty bounding set. Our contention is that 
such worst-case guarantees may not imply better robustness than probabilistic guarantees because 
of the fact the uncertainty bounding set may not include all instances of uncertainty. 

4 Conclusion 

In this paper, we demonstrate that the deterministic worst-case robust control design does not 
necessarily imply a risk free solution and that, in fact, it can be more risky than a probabilistic 
controller. In the final instance, every design and analysis is subject to a level of risk. The goal 
of design should be to make the risk acceptable, instead of assuming that it can make it vanish. 

It has been acknowledged that probabilistic methods overcome the computational complexity 
and conservatism of worst-case approach at the expense of a probabilistic risk ([TO], p. 1908). 
In fact has been remarked by Kargonekar and Tikku that if one is willing to draw conclusions 
with a high degree of confidence, then the computational complexity decreases dramatically ([20], 
p. 3470). More formally, let e,5 £ (0, 1) and define a system to be e-non-robust if 

vol({<7 £ B | P is violated for q}) 

vol(B) ~ £ ' 

Then one can detect any e-non-robust system with probability greater than 1 — 5 based on N > 
^f- i.i.d. simulations [201138]. 

1 — e 

Recently, Barmish et. al. pointed out that if one is willing to accept some small risk probability 
of performance violation, it is often possible to expand the radius of allowable uncertainty by a 
considerable amount beyond that provided by the classical robustness theory ([2], p. 853). 
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Putting these last two statements in the light of our result make a strong case for the use of 
probabilistic robustness methods. 



A Proportion of Instability of Probabilistic Controller 

The set of values uncertainties bounded in 6(V) which make the system unstable is 

£ Bad (V) = {(§, f) | f > ICb §, |§ - H,| < V, If - y\ < V}. (12) 

Clearly, 

P"(r) 



,b ( ,_ 1 vol{g Bad (V)} 



vol{£(V)} 

We can now compute the proportion of stability P(r) for controller as follows. 



It can be shown that B (V) = for r < ps- Hence 

P s (r) = 1, 0<r<p B . 



For pb < r < we have 

e Bad (v) = <"(§, t) | / + v>t>/c B §, u,-v<§[>. 



We now prove equation f)13[) . For notation simplicity, let the set in the right-hand side of fj 1 2[) 
be denoted as O. Let the set in the right-hand side of (|13p be denoted as <I>. Clearly, 0C$, It 
suffices to show 3$, Let (x,y) £ Then y > Kb x > Kb (qo — r). It can be verified that 
Kb {qo — r) > pq — r ii and only if r < p* B . Hence Po + r > y > Kb x > po — r. From inequalities 
d5|), ([6]) and po + r > Kb x, we obtain x < < qo + r. Therefore, (x, y) £ 0. It follows that 
9 5 $ and thus 8 = Observing that £ Bad (V) is a triangular domain, we find by a geometric 
method 

+ V 



voi{^ Bad (v)} = — /c B I v + ^- n, 



It follows that 



B (r) = l ^-5-^ L p B <r<p B . 



8r 2 

For r > p* B , we have 

B Bad (V) =tU9 (14) 

where 

' i mi I ^ ^ ^ Po - r 

I |y-pol<^ qo~r<x< 



K B 



12 



and 



^ = {( x ,y) \ Po + r>y>K B x, — < x 



We now show ([Tijl. i.e., 9 = SUf. Obviously, SCHUf. It suffices to show 63S and O D ^. 

Let (x,y) G H. Then, i-Ce a; < K_b (t^t) = P$ — r <y. From inequalities ©, © and x < 

we have x < p ^T r < go + r - This proves G 0. Hence 5 C 0. Now let (x,y) G ^f. Then 



y > Kb x > Kb y xj j = Po ~ r - It can be shown that > qo — r if arid only if r > p* B . 
Hence, x > qo — r. From inequalities (J5j) , ([6]) and Kb x < po + r, we have x < ^j^- < go + r. This 
proves (x, y) G and thus $C6. Therefore, the proof for = E U ^ is completed. 

Observing that H is a rectangular domain and ^ is a triangular domain, we obtain by a 
geometric argument 

vol{£ Bad (V)} = GV (v + ^ - H,j 

and thus 



B Probability of Instability of The Worst-case Controller 

Now we derive an exact expression for Pr{ Controller Ca stabilizes the system}. Note that 

Pr{ Controller Ca stabilizes the system} 

f K A 1 

= Pr < p < a, p < q > 

{ a J 

1 f ( (P-P0) 2 \ ( {q-qo? \, , 
ex P ex P d P d 1 



2ira p a q J{ p<a , P <^q) V 2(J p ) V 2cr g 
Introducing new variables 



we have 



where 



P ~ Po q - qo 
y = , x = . 



Pr{ Controller Ca stabilizes the system} 



D xy = | a p y + p < a, a p y + p < —^-{a q x + g )j 

= {(z,y) I y < u, y <kx + v}. 



13 



Therefore, it suffices to compute 
Introducing polar coordinates 

x = pcos6, y = psin9, (15) 

we have 



1=1 exp I — ^— I p dp d6 



where 

D p e = {(p, 0) | psmO < u, psinO < k pcosO + v , pG[0,oo), 9 S [0,2-7r)} . 
We compute the integration 

f = i pxn I — 



1=1 exp ( I pdpde 



over the complement set 

D p o = {(p, 9) | psinO > u or psin9 > k pcosO + v, pe[0, oo), fl G [0, 2-7r)} . 
We claim that -Dpg can be partitioned as two subsets 

A pe = {(p,9)\psme>u, pe[0,oo), 0G[O,^)} 

and 

Bpe = {{p,9) | psinfl > k pcosO + v, pe[0,oo), 0e[0*,27r)} 

such that 

5 pe = A pe U B p9 , A pd n ^ = 0. 

In the proof of the claim, we shall recall that (x, y) is related to (p, 6) by the polar transform 
(fT5|) . To show D p = j4 p e U B p g, we need to consider three cases: Case (a): u > v; Case (b): 
u < v; Case (c): u = v. 

Let k* = tan#* = In Case (a), since < 9* if and only if y < /c*x, it suffices to show the 
following two statements: 

(a-1) y > u if y < k*x, y > kx + v; 
(a-2) y > kx + v if y > u, y > k*x. 
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To show statement (a-1), observing that, as a direct consequence of y < k*x and y > kx + v, 
we have k*x > kx + v, leading to x > k *'_ k - Therefore, y > kx + v > k k , v _ k + v = u. To show 
statement (a-2), we proceed by a contradiction method. Suppose y < kx + v. Then k*x < kx + v, 
which implies x < k ?_ k ■ On the other hand, we have kx + v > u, leading to x > ^jr-- It follows 
that < k *_ k = ^-jr-i which is a contradiction. 

In Case (b), since 9 < 9* if and only if y > k*x, it suffices to show the following two statements: 

(b-1) y > u if y > k*x, y > kx + v; 
(b-2) y > kx + v if y > u, y < k*x. 

To show statement (b-1), observing that k* < because u < v. Hence x > pr. On the other 
hand x < Hence, < leading to y > u. To show statement (b-2), we proceed by 

a contradiction method. Suppose y < kx + v. Then u < kx + v, i.e., x > Consequently, 
y < k*x < k*^^- = u, which is a contradiction. 

In Case (c), since 9 < 9* = ^ if and only if x > 0, it suffices to show the following two 
statements: 

(c-1) y > u if x > 0, y > kx + v; 
(c-2) y > kx + v if y > n, x < 0. 

Statement (c-1) can be shown by observing that, if x > 0, y > kx + v, then y > v = u. 
To show statement (c-2), we proceed by a contradiction method. Suppose y < kx + u. Then 
u < kx + v , i.e., x > = 0, which is a contradiction. 

It can be shown that 



and B p Q = {(p,9) | ps'm9 > k pcos9 + v, p G [0, oo), 9* < 9 < ir + arctan(/c)}. Moreover, we 
can further simplify as 




(16) 




(17) 



To show (fT7|) . it suffices to show 



sin # — k cos > for 



0* < 9 < - 



(18) 



and 



sin# — kcos9 > for — < 9 < ir + arctan(fc). 



(19) 
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To show (fT8|) . one needs to observe that 9* < 9 < ^ implies 

cosg>0, u>v, tan6* > tan(g*) = ku > k 

u — v 

and consequently, sing — kcos9 = cosg (tang — k) > 0. To show f 1 1 9 [) . one needs to observe that 
? < g < 7r + arctan(/c) implies 

cosg < 0, tang < tan(-7r + arctan(/c)) = k 

and consequently, sing — A: cosg = cosg (tang — k) > 0. By ()16|) and (|17p . we have 

r / 



I 



J exp ^-^-^ p dp (19 + J exp^-^j p dp d9 



( p 2 \ 

exp [ — — j p dp d9 



sine 



I exp (-— ) pdpd9 



p= 



sin 9 — k cos 6 



'* f U 2 \ /-7r+arctan(fc) / y 2 

/ XP (~ WgJ de + L« l" 2(sing- fc cosg- 
exp 5— \d9+ exp 5— dg. 

e=0 V 2sm z gy Je=e*-arctan(fe) V 2 Slll z 9 J 



Finally, 

This completes the proof of formula 



Pr{Controller Ca stabilizes the system} = 1 — —I. 



C Probability of Instability of Probabilistic Controller 

Define 



S Pq = {(p, q) I p e K, g£t, p < Kb g} . 



Then 



Pr{ Controller C# stabilizes the system} 
= Pr{(j,,«)eS pa } 

Note that there exists a one-to-one mapping between S pq and 

S*v = {(x,y) \xeR, y<0} 
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so that 



Therefore, 



p = K B x + y, q = x. 



Pr{ Controller C B stabilizes the system} 



1 



2-Ko p <j q J Sx 
1 



exp 



exp 



{K B x + y-poY 

'2 J2 



exp 



(x - qoY 
2a\ 



dxdy 



°P + K B a { x 2 , qoVp-K B cT 2 q (y-po) x (y - p ) 2 q 2 



2o*o* 



2a 2 2a\ 



dxdy 



[q a 2 p - K B a 2 (y - p )} 2 (y - Po ) 2 g g 



H 2a 2 



exp 



4 + g|<j 



gQQ"p ~ K B a 2 (y-p ) 



Using the fact 



we have 



j e -a(x-^ dx = Vq>Q) V^€ (-00,00), 



Pr{ Controller C B stabilizes the system} 

J_ f° r::n I jggj ~ ~ R,)] 2 (y - po) 2 g g \ j 2***a* 

P ^ 2a 2 a 2 ( C r| + i<: 2 a 2 ) 2a 2 * V °2 + ^1 

= -1 / 2 " P* exo f " Z " q " ) dz 

2vr y a% + i^ 2 7_ 00 P (o| + *> 2 ) 2a 2 2a*) ' 

It can be verified that 

[q a 2 p - K B a 2 z] 2 z 2 gg (z + ifg go) 2 

2a 2 a 2 (a 2 + *: 2 C x 2 ) 2a 2 2a\ 2(a 2 + K 2 B a 2 ) ' 

Hence 



Pr{ Controller C# stabilizes the system} 

/ (z + K B g ) 2 




2vr 


r-po 


I + *> 2 


J £ 

—00 


K BlO~P0 






e 2 (fe 




2(<x 2 + Kl a 2 ) 



dz 
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It follows that 



P B = 1 — Pr{ Controller Cb stabilizes the system} 
1 1 _.. r / K B q - po 

2(of + K*o*) 




2 

This completes the proof of formula (jlOfl . 



D Derivation of A Sufficient Condition 

Note that 

P C A = i_p r | p<a p< ^- ( 
{ a 

> 1 - Pr{p < a} 



-I'll 



I [ ° P fx 



2ir J-oc V 2 



„2 



exp — — cte 



= i-ierf ^ 
Therefore, for P Ca > P^ 5 , it suffices to have 



1 1 / a-p \ 1 1 / i^tfo - Po 
ert — , — > ert 



2 2 \^ p> / 2 2 \j 2 (** + K?,**) 



i.e., 



r / « - Po \ ^ n / -Kb<7o - Po 
ert — — — < ert 



Since erf(.) is a monotone increasing function, we have 



a - po -^b<?o - Po 



which is equivalent to 



1+ < 
This completes the proof of condition (jlip . 



K B (J q \ 2 ^ ( K B go - P o x 2 
a - Po 
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